CVE-2021-26539
published 2021-02-08CVE-2021-26539: Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass…
PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
1.95%
77.8th percentile
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 2.3.1 | 2.3.1 |
| apostrophecms | sanitize-html | >= 0 < 2.3.1 | 2.3.1 |
| debian | node-sanitize-html | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_debian5.3LOW
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
vendor_redhat·2021-01-22·CVSS 5.3
CVE-2021-26539 [MEDIUM] CWE-20 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Package: servicemesh-prometheus (OpenShift Service Mesh 2.0) - Affected
Debian
CVE-2021-26539: node-sanitize-html - Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle inte...
vendor_debian·2021·CVSS 5.3
CVE-2021-26539 [MEDIUM] CVE-2021-26539: node-sanitize-html - Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle inte...
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
Improper Input Validation in sanitize-html
ghsa·2021-05-06
CVE-2021-26539 [MEDIUM] CWE-20 Improper Input Validation in sanitize-html
Improper Input Validation in sanitize-html
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
OSV
Improper Input Validation in sanitize-html
osv·2021-05-06
CVE-2021-26539 [MEDIUM] Improper Input Validation in sanitize-html
Improper Input Validation in sanitize-html
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://advisory.checkmarx.net/advisory/CX-2021-4308https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22https://github.com/apostrophecms/sanitize-html/pull/458https://advisory.checkmarx.net/advisory/CX-2021-4308https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22https://github.com/apostrophecms/sanitize-html/pull/458
2021-02-08
Published